BSides Munich 2024

09:00
240min
Gamified Cyber Incident Simulation
Klaus-E. Klingner

In order to ensure efficient and timely responses to cyber security incidents, it is of utmost importance to consistently practice their management. This typically entails substantial effort in terms of organizing and conducting exercises. In this workshop, I will present an innovative and engaging gamified approach to address this challenge, employing the "Backdoors and Breaches" framework.

Workshops
Hochschule München - R1.007
09:00
540min
IoT Device Security
Daniel Schwendner, Aled Jackson

IoT devices often lack robust security, making them prime targets for attackers. This workshop offers participants hands-on experience in accessing and analyzing the firmware of a real-world IoT device. Working in small groups, participants will be provided with real-world devices and the necessary hardware to dump the firmware from flash memory chips and analyze other open communication interfaces. Using Ghidra, participants will reverse engineer the firmware to uncover potential vulnerabilities. Additionally, the workshop will cover common vulnerabilities in WiFi and Bluetooth Low Energy communication.

Workshops
Hochschule München - R0.007
09:00
240min
Securing Machine Learning: Identifying and Mitigating Emerging Threats
Benjamin Altmiks, Michael Helwig

In our workshop, we would like to show and explain to you the emerging dangers of machine learning. Together we will develop a threat model to improve the security of your machine learning applications.

Workshops
Hochschule München - R1.006
09:00
240min
Zeek and Destroy with Python and Machine Learning Workshop
David Szili

Zeek is an open-source network security monitor (NSM) and analytics platform that has been around for quite some time (since the mid-90s). It is used at large university campuses and research labs, but in the past few years, more and more security professionals in the industry have turned their attention to this fantastic tool.

But Zeek is so much more than just a NIDS generating alerts (notices) and log files! Zeek's scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or, most importantly, interfacing with external sources, such as Python! The Zeek Python bindings allow us, the analysts, to use powerful Python libraries such as NumPy, pandas, and TensorFlow and apply machine learning-based detection on network traffic.

During this two-hour workshop, we will learn about the following topics:
- Super fast introduction to Zeek (architecture, events, logs, signatures, etc.)
- Using machine learning and data science tools on Zeek logs (as an example, we will use Fourier Analysis to detect C2 beaconing)
- Super fast crash course in Zeek scripting (just enough to understand how to create new logs)
- Connecting Zeek and Python via the Zeek Broker Communication Framework
- Using machine learning tools in Python on the data we receive from Zeek for detection (as an example, we will use a convolutional neural network and a random forest model, compare them, and then use them to find unknown malware in live network traffic)
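As an added illustration of the Fourier-based beaconing check listed above (editor-supplied example code, not material from the workshop or from the Zeek project), the following pure-Python script parses Zeek conn.log records using their own #fields header, bins the connections of each (orig_h, resp_h, resp_p) flow set into a one-second time series, and takes an FFT of it. The sample conn.log, the hosts 10.0.0.5 and 10.0.0.7, and the 60-second beacon are constructed for the example; the threshold of 20 is an assumed starting point, not a tuned value.

```python
"""Fourier-based C2 beacon detection over Zeek conn.log records (pure Python, no NumPy).
Editor-supplied example; the sample log below is constructed, not captured."""
import cmath
import math
import random
from collections import defaultdict


def parse_conn_log(text):
    """Parse a Zeek TSV log using its #fields header; returns a list of dict rows."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def beacon_score(timestamps, bin_seconds=1.0):
    """Return (peak-to-mean spectral power ratio, estimated period in seconds).

    Connections are counted per time bin; a beacon is a spike train whose spectrum
    has sharp lines, while human/browsing traffic has a flat spectrum.
    """
    if len(timestamps) < 8:
        return 0.0, None
    t0 = min(timestamps)
    nbins = int((max(timestamps) - t0) // bin_seconds) + 1
    size = 1
    while size < nbins:
        size *= 2  # zero-pad to a power of two for the radix-2 FFT
    if size < 16:
        return 0.0, None
    series = [0.0] * size
    for ts in timestamps:
        series[int((ts - t0) // bin_seconds)] += 1.0
    spectrum = fft(series)
    # Skip the DC term (index 0) and use only the non-redundant half of the spectrum.
    power = [abs(c) ** 2 for c in spectrum[1 : size // 2]]
    mean_power = sum(power) / len(power)
    peak_power = max(power)
    # An impulse train puts comparable power into every harmonic, so the strongest
    # bin may be a harmonic; report the lowest-frequency line near the peak instead.
    fundamental = next(i for i, p in enumerate(power) if p >= 0.5 * peak_power)
    period = size * bin_seconds / (fundamental + 1)
    return peak_power / mean_power, period


def find_beacons(log_text, threshold=20.0, bin_seconds=1.0):
    """Group conn.log rows per (orig_h, resp_h, resp_p) and score each flow set."""
    flows = defaultdict(list)
    for row in parse_conn_log(log_text):
        key = (row["id.orig_h"], row["id.resp_h"], int(row["id.resp_p"]))
        flows[key].append(float(row["ts"]))
    results = {}
    for key, stamps in flows.items():
        score, period = beacon_score(stamps, bin_seconds)
        results[key] = {"score": score, "period": period,
                        "beacon": score >= threshold, "count": len(stamps)}
    return results


def build_sample_conn_log(seed=1):
    """Constructed conn.log: one host beaconing every 60 s (+/-0.5 s jitter) and one
    host with uniformly random connections over the same hour."""
    rng = random.Random(seed)
    t0 = 1_700_000_000.0
    rows = []
    for i in range(60):
        rows.append((t0 + 60 * i + rng.uniform(-0.5, 0.5), "10.0.0.5", "203.0.113.10"))
    for _ in range(60):
        rows.append((t0 + rng.uniform(0, 3600), "10.0.0.7", "198.51.100.20"))
    rows.sort()
    lines = ["#separator \\x09", "#path\tconn",
             "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"]
    for n, (ts, src, dst) in enumerate(rows):
        lines.append(f"{ts:.6f}\tC{n:06d}\t{src}\t{49152 + n}\t{dst}\t443\ttcp")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for key, r in sorted(find_beacons(build_sample_conn_log()).items()):
        print(key, f"score={r['score']:.1f}", f"period={r['period']:.1f}s",
              "BEACON" if r["beacon"] else "")
```

A periodic beacon shows up as spectral lines whose power is tens of times the mean of the other bins, while random traffic gives a flat spectrum with peak-to-mean ratios in the single digits. Large jitter or sleep-skipping beacons flatten the spectrum, so treat the ratio as one signal alongside inter-arrival statistics rather than as a verdict on its own.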

Requirements for the workshop:
- A laptop with at least 16 GB of RAM and more than 50 GB of free disk space (VT-x support must be enabled on the host system).
- Application to run Virtual Images (type-2 hypervisor): VMware Workstation Pro (recommended), VMware Workstation Player, VMware Fusion, or VirtualBox.
- Only 64-bit Intel-compatible (Intel or AMD) processors are supported. WARNING: ARM-based (like Apple Silicon, Qualcomm Snapdragon, some Microsoft Surface laptops) devices cannot perform the necessary virtualization and therefore cannot be used for the workshop.

Workshops
Hochschule München - R1.008
13:00
60min
Lunch
Hochschule München - R1.006
13:00
60min
Lunch
Hochschule München - R1.008
13:00
60min
Lunch
Hochschule München - R1.007
14:00
240min
How to Hack your Web Application
Janosch Braukmann

You always wanted to know how web applications are getting hacked? This is your chance. Learn how attackers will get into your web application and how you can defend.

Workshops
Hochschule München - R1.008
14:00
240min
Introduction to Velociraptor
Christian Kollee

Velociraptor is an open-source tool developed by Velocidex (now Rapid7) to conduct scalable forensic analyses for large infrastructures. The client-server system allows analysts to distribute forensic queries to many endpoints and provides notebooks for interactive reports. Analysts can use the integrated Velociraptor Query Language to create queries and extend Velociraptor.

This workshop provides an introduction to incident response with Velociraptor.

Workshops
Hochschule München - R1.006
No sessions on Sunday, Nov. 10, 2024.
08:00
60min
Registration
WestIn - Munich
09:00
10min
Welcome Note
WestIn - Munich
09:10
30min
Opening Keynote
Desiree Sacher-Boldewin

In her keynote she will show the unique development of cyber security and the growth of its importance, its impact on the health of today's experts and what each and everyone can do about it every day.

Talks
WestIn - Munich
09:40
20min
Break
WestIn - Munich
10:00
30min
Leaking Kakao: How I found a 1-Click Exploit in Korea's Biggest Chat App
Dawin Schmidt

KakaoTalk is the WhatsApp of South Korea with more than 100 million downloads from the Google Play Store. In this talk we show how multiple vulnerabilities in a chat app can lead to the disclosure of users' messages. We do this by presenting an account takeover "one-click" exploit in KakaoTalk's regular chat room without breaking cryptography or escaping the app's sandbox. We also release our tooling so that fellow security researchers can dig into KakaoTalk's broad attack surface to find more bugs.

Talks
WestIn - Partenkirchen
10:00
30min
Real-Time Threat Intelligence with ML Feedback Loops
Tomer Doitshman

Threat intelligence is one of the most critical lines of defense today for safeguarding organizations from malware and other potential attack vectors that can compromise business continuity and stability. This talk will delve into the design and implementation of a sophisticated threat intelligence feedback loop, leveraging machine learning to classify and manage millions of potential Indicators of Compromise (IOCs), aggregating and analyzing huge amounts of data in near real time.

This system built upon a robust cloud native & OSS stack powered by Kubernetes and Prometheus continuously scans the internet, social media, and various blogs, employing sentiment analysis to gauge the potential maliciousness of IOCs, which include domains, IP addresses, user agents, browser extensions, URIs, URLs, IP ranges, and more. A classification tree model then assigns a "maliciousness" score to each IOC.

Malicious IOCs identified by the model are aggregated into a list and deployed into the production environment to block network communications involving these IOCs. The production environment generates feedback on the effectiveness of these blocks, summarizing user complaints and the frequency of block occurrences to assess the validity of the IOCs. The unique nature of this feedback is its ability to be looped back into the machine learning model rapidly from the users and network hosts, enabling near real time updates and refinement of the IOC classification scores. The model re-evaluates the IOCs to determine their legitimacy, significantly minimizing false positives, enabling the detection of novel threats as they evolve and happen, enhancing overall accuracy of the threat intelligence model. This continuous feedback loop allows the model to improve over time and ensures that the system adapts dynamically to emerging threats, maintaining robust organizational security.

Join us to unpack how this feedback loop was built and works under the hood, its impact on threat intelligence and its continuous evolution, and the advancements in machine learning that drive advancements across the security domain.

Talks
WestIn - Munich
10:30
30min
/proc for Security Analysts: Unveiling Hidden Threats and Forensic Treasures
Stephan Berger, Asger Strunk

In the intricate landscape of cybersecurity, the ability to uncover hidden threats and analyze system behaviors is paramount.

The /proc filesystem, a critical component of Unix-like operating systems, serves as a treasure trove of real-time data and system information. In this talk, "/proc for Security Analysts," we will delve into the forensic value of /proc, demonstrating how it can be leveraged to detect rootkits, uncover anomalies, and gain a profound understanding of the operating system.

Participants will learn how to navigate and interpret the vast array of data within /proc, equipping them with the skills to enhance their security analyses and bolster system defenses.
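As an added example of the kind of /proc reading the talk refers to (editor-supplied, not from the speakers), the following Python parses /proc/net/tcp, where the kernel lists IPv4 sockets with little-endian hex addresses and two-digit hex states, and compares the listening sockets it finds against the set a userland tool reported. The /proc/net/tcp content, the tool output, the listener on port 4444 and the inode numbers are all constructed for the example.

```python
"""Decode /proc/net/tcp and cross-check it against what a userland tool reports.
Editor-supplied example; the /proc sample below is constructed, not captured."""
import os
import socket
import struct

# Kernel TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}


def decode_addr(hex_addr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    The kernel prints the IPv4 address as a little-endian 32-bit hex word, so the
    bytes must be reversed before the usual dotted-quad rendering."""
    ip_hex, port_hex = hex_addr.split(":")
    packed = struct.pack("<I", int(ip_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        sockets.append({
            "local": decode_addr(parts[1]),
            "remote": decode_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return sockets


def unlisted_listeners(proc_tcp_text, reported_listeners):
    """Listening sockets the kernel knows about but a userland tool did not report.

    An LD_PRELOAD rootkit that filters what ss/netstat print cannot filter a direct
    read of /proc/net/tcp, so the difference between the two is a hiding indicator."""
    reported = set(reported_listeners)
    return [s for s in parse_proc_net_tcp(proc_tcp_text)
            if s["state"] == "LISTEN" and s["local"] not in reported]


def socket_owner_pids(inode, proc_root="/proc"):
    """PIDs whose fd table links to socket:[inode]; live-host helper that walks proc_root."""
    target = f"socket:[{inode}]"
    owners = []
    entries = os.listdir(proc_root) if os.path.isdir(proc_root) else []
    for pid in entries:
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(pid))
                    break
        except OSError:  # process exited, or fd table not readable for this uid
            continue
    return owners


# Constructed sample: sshd on 22, a local dev server on 8080, a suspicious root-owned
# listener on 4444, and one established outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20910 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33017 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C350 0A64A8C0:01BB 01 00000000:00000000 02:00000A3C 00000000  1000        0 21677 1 0000000000000000 20 4 30 10 -1
"""

# Constructed output of a (hypothetically hooked) `ss -ltn`: the 4444 listener is missing.
SAMPLE_TOOL_LISTENERS = {("0.0.0.0", 22), ("127.0.0.1", 8080)}


if __name__ == "__main__":
    for s in unlisted_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_TOOL_LISTENERS):
        print("listener not reported by tool:", s["local"], "uid", s["uid"],
              "inode", s["inode"], "pids", socket_owner_pids(s["inode"]))
```

This catches user-space hiding only: a kernel-mode rootkit that hooks the handlers behind /proc/net/tcp can lie in the file as well, so corroborate from outside the host (an external port scan) or from a trusted live-response image. Once a suspicious inode is known, the socket:[inode] symlinks under /proc/<pid>/fd identify the owning process, which socket_owner_pids walks on a live system; IPv6 sockets live in /proc/net/tcp6 with 128-bit addresses and need a separate decoder.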

Talks
WestIn - Partenkirchen
10:30
30min
Demystifying the First Few Minutes After Compromising a Container
Stuart McMurray

Meant for a less-offensive but still technical audience, this talk presents a hands-on look at Linux container post-compromise. It will cover why a hacker compromises a container and what he hopes to get out of it, C2 comms from the container back to the attacker, information extraction, and breaking out and then into other containers.

Throughout, the concept of what a container is will be a recurring theme, starting as a config which runs an application and then refined as the talk progresses to Linux processes which share common namespaces.

The talk is aimed at giving blue teams, systems administrators, and devops engineers a clearer picture of how an attacker could interact with what they create and defend with the ultimate goal of better-informed defensive and architectural choices. Pentesters and red teamers should also find it helpful.

It is not a checklist of configuration settings or a magic SIEM/SOAR/such query but rather a different point of view. There will be no 0days or kernel tomfoolery of the cc exploit && ./exploit variety but rather good old-fashioned Linux sneakiness and shell gymnastics in the modern age.

Talks
WestIn - Munich
11:00
30min
Coffee Break
WestIn - Munich
11:00
30min
Coffee Break
WestIn - Partenkirchen
11:30
30min
Building and Leading Advanced Red Teams
Bjoern Trappe

After years of acquiring Red Teaming skills, Senior Red Teamers (sometimes unexpectedly) grow into a lead position at some point in their career.
This talk focuses less on the technical facets and more on the challenges that young leaders with a strong technical background may face.
It will also look at how good leadership can contribute to employee development and retention, how innovation and automation can succeed without sacrificing quality, and how to build effective Red Teams.

Talks
WestIn - Partenkirchen
11:30
30min
EDR Analysis: An Introduction to Reversing Sophisticated Detection
Daniel Feichter

Today, a prep phase against endpoint protection (EPP) and endpoint detection and response (EDR) products is part of every red team engagement, and preparing to create evasive malware that bypasses the targeted EDR to gain initial access can often be very time consuming. In general, when preparing malware such as a shellcode loader or similar, we want to be as sure as possible that our malware will be able to bypass the targeted EDR. The simplest approach is to start building malware and use trial and error to see if your malware is able to evade the EDR (evasion defined as not prevented and not detected) or if the malware is caught by the EDR. In order to build not only better, but more effective malware, it really helps to go beyond trial and error testing and start investing time and energy in reversing and debugging EDRs and trying to better understand the logic of the detection mechanisms they implement.

To build more evasive or effective malware, you need to know your enemy, in this case the EDR. By now most community members are aware that modern EDRs use things like the Antimalware Scan Interface (AMSI) to detect malicious PowerShell activity, or use user mode hooking to detect potentially malicious behaviour in the context of Windows APIs, or use kernel drivers to register various types of kernel callback routines such as ProcessNotifyRoutine to detect when a new process is created, and so on. However, in addition to these well-known mechanisms, some EDRs use more sophisticated and unconventional mechanisms that have been used by the game hacking community for many years. By looking at these EDRs more closely, by trying to reverse engineer and debug them, some of these detections can be interpreted as some tricky traps for malware influenced by the game hacking community. In my talk "EDR Analysis: An introduction to reversing sophisticated detection," I will provide insights into how to debug, reverse, and understand these EDR detection mechanisms in detail, as well as how to evade them.

Talks
WestIn - Munich
12:00
30min
From Boot to Root: Identifying and Mitigating Security Issues in Bootloaders
Richard Weinberger

With the advent of verified/secure boot, bootloaders have become critical components in the chain of trust for embedded Linux systems. This talk will explore common security issues in verified boot implementations and provide an in-depth analysis of vulnerabilities found in popular bootloaders. Attendees will learn about the implications of these vulnerabilities and practical mitigation strategies to enhance device security.

Talks
WestIn - Partenkirchen
12:00
30min
Ground Control to Major Threat - Hacking the Space Link Extension Protocol
Andrzej Olchawa

Space missions have increasingly been the subject in the context of security breaches and satellite hacks. The majority of discussions revolve around direct communication and access to spacecraft through means such as Software Defined Radio. However, the reality is that this approach isn't practical for most adversaries, as it requires substantial resources and is easily detectable due to the power and radio frequencies required to command a spacecraft. Instead, adversaries might shift their focus away from the Space Segment and opt for a more practical approach, such as accessing and exploiting the Ground Segment vulnerabilities and flaws in order to gain control over spacecraft.

Every space mission comprises custom-made hardware and software components, which interact with each other utilizing dedicated protocols and standards designed and developed for this sole purpose. Numerous potential failure points can adversely impact a space mission, many of which persist on the ground. Considering the essential services they facilitate and the extent to which contemporary society relies on space technology, each component utilized in space missions should be regarded as integral to critical infrastructure and treated as such, particularly from a security standpoint.

This study centers on the Space Link Extension (SLE) protocol, which is employed as a standard for communication between mission data systems and ground stations by various space agencies and organizations, including NASA and ESA. We will address the security concerns inherent in the SLE protocol. At the same time, we demonstrate methods and techniques malicious actors can employ to conduct a Denial of Service (DoS) or tap into the ground station communications, gaining control over an actual spacecraft. We will conclude this publication by presenting the reader with a possible mitigation strategy that we believe should be employed at the SLE protocol level.

Additionally, we will outline a forecast for future work, detailing both planned endeavors and those already in progress, to further expand on this research.

Talks
WestIn - Munich
12:30
30min
A Security Champion's Journey - How to Make Things a Bit More Secure than Yesterday Every Day
Lisi Hocke

"Congratulations, you're the new security champion for your team! Now make sure to get all these important security topics done, okay? But don't get in the way of feature development."

Even if you're not an officially appointed champion, building secure products might be dear to you. It definitely is to me. The problem is that security is one of those aspects that people love to advertise, deem important, and still deprioritize and postpone for "later" (whenever that is). And sometimes, it's even me saying "later." So, how do we make sure "later" isn't "never"?

In this talk, I'll take you on my own journey, from learning more about security to supporting our information security team. Spreading awareness enabled us to include known topics in our roadmap and finally make our product more secure. Creating an application security strategy was key to finding the next most important measure while allowing us to share our endeavors across teams. We updated dependencies to get our components in shape before reviving automated dependency checks in our pipeline to combat prevailing alert fatigue. We fixed reported security issues, got rid of insecure implementations to reduce our product's attack surface, and more - all this while still delivering new features and reducing other technical debt.

Hear about what worked, especially what didn't, and what we really shouldn't have done in the first place. I can't offer you a magic recipe, yet I will share the pieces of advice that actually helped make things a bit more secure than yesterday every day.

Talks
WestIn - Munich
12:30
30min
Mystical Vulnerabilities: Exploring the Oddities in Cybersecurity
Massimo Morello

In the Information Security world, where many researchers crave to enhance their resume, the aid represented by the concepts of CVE and CVSS is paradoxically and slowly disrupting the vulnerability categorization and management process. Subject to disputed claims by the vendors and inflated severity ratings, the CVE assignment process has become a battleground for recognition, resulting in bogus submissions and unrealistic scores. That's why, for this paper, we have ironically coined the term "Mystical Vulnerabilities": security flaws that are not supposed to be so, but they get filed anyway, exploiting the lack of targeted inspection by MITRE or the NVD. This flawed system compels organizations to allocate resources based on CVE scores, and all but highlights the need for a "scoring system for the scoring system". A shift towards a more filter-oriented culture and more transparent CVE assignment practices is imperative to navigate the complexities of the arising cyber threats. This paper proposes mitigations to this problem, from a cultural change, to additional scoring systems out there for complementing and filtering CVEs, finishing with interesting clean sources and databases.

Talks
WestIn - Partenkirchen
13:00
60min
Lunch Break
WestIn - Munich
13:00
60min
Lunch Break
WestIn - Partenkirchen
14:00
30min
Kobold Letters and Other Mischief - How Emails Can Deceive You
Konstantin Weddige

It often doesn't take much for a phishing email to fool its victim, but that doesn't mean there isn't more to it: This talk will look at technical attacks on email that have the potential to elevate the risk of phishing attacks - if that was even necessary - and discuss what it would take to mitigate these attacks.

Talks
WestIn - Partenkirchen
14:00
30min
Some Thoughts on Penetration Test Reports
Hans-Martin Muench

Writing the report is the least favorite part of most penetration tests. This talk gives a number of tips on how to create better reports in less time.

Talks
WestIn - Munich
14:30
30min
Demystifying Cloud Infrastructure Attacks
Alexander

Threat actor tactics in a classic on-premises environment are well documented and understood. For example, extracting credentials from memory and then pass-the-hash is a common technique to move laterally in Windows. But how do threat actors move laterally between cloud workloads and compute instances? What are the common persistence techniques, and what are the high value targets we need to protect?

Alexander is Principal Forensic Consultant at Truesec and will in this session share his learnings from over 10 000 billable hours of enterprise forensics. You will learn how cloud tactics differ from on-premises and see the latest techniques used in real attacks against cloud infrastructure.

Talks
WestIn - Munich
14:30
30min
Reverse Engineering and Control Flow Analysis with Intel Processor Trace
Hagen Paul Pfeifer

Intel Processor Trace (Intel PT) offers a powerful tool for capturing detailed control flow information of software running on Intel CPUs. This presentation explores how Intel PT, combined with Linux's perf tool can be leveraged for dynamic control flow analysis and reverse engineering. Attendees will learn about Intel PT's architecture and configuration, techniques for collecting and interpreting trace data using perf, and practical applications in analyzing software behavior, detecting anomalies, and uncovering vulnerabilities in combination with common reverse engineering tools. Real-world case studies and demonstrations will showcase the effectiveness of Intel PT and perf in enhancing software security.

Talks
WestIn - Partenkirchen
15:00
30min
Coffee Break
WestIn - Munich
15:00
30min
Coffee Break
WestIn - Partenkirchen
15:30
30min
Beyond Manual: Enhancing and Scaling Security with Automation
Christian Bauer

Security teams are often short-staffed and overburdened, but many of their tasks can be automated to alleviate this pressure. Automation enables the offloading of repetitive and mundane manual work, allowing security teams to focus on more complex and engaging tasks. Furthermore, automation facilitates the execution of large-scale security tasks that are not achievable manually.

This presentation will begin by exploring the specific automation example of External Attack Surface Monitoring (EASM), demonstrating its implementation using open-source tools.
Following this, the discussion will broaden to cover the implementation of a generic security automation platform. Examples will be provided of the types of tasks that can be automated, how they can be implemented and the tools available to achieve this.

While this talk aligns with DevSecOps principles, it is distinct in that it does not focus on CI/CD pipeline security. Instead, it addresses security automation that extends beyond security for software development activities.

Talks
WestIn - Partenkirchen
15:30
30min
Let's Get Physical: Stories From Behind Your Company's Gate
Moritz Thomas, Firat Acar

In this light-hearted session led by experienced red teamers, participants will explore the intricate world of physical security breaches in corporate settings. The presentation will focus on practical techniques like caller-ID spoofing, social engineering, and rogue device deployment, alongside undetected infiltration and objective attainment. Through engaging narratives, including a night-time operation in a European high-security facility, the speakers will demonstrate how to navigate high-pressure scenarios. The talk aims to provide a clear understanding of physical breach dynamics, potential challenges, and their impact, empowering attendees with insights into the art of physical intrusion.

Talks
WestIn - Munich
16:00
30min
Becoming the Evil Maid - Hacking Android Disk Encryption for Fun and Profit
David Gstir

Losing your smartphone is painful enough, but having your data on there exposed to others can be devastating. This is why securing personal data on smartphones is of paramount importance. Android's Full Disk Encryption (FDE) is a robust feature designed to protect user data, but what happens when your device stops working and you need to recover your encrypted data on it? Join David as he delves into the depths of Android's Full Disk Encryption code in his quest to recover lost encryption keys.

Talks
WestIn - Munich
16:00
30min
NIS2 and CRA: From Legislation to Execution
Jennifer Janesko, Sneha Rajguru

There is an increase in new EU legislation that requires cyber security measures. This talk demonstrates how governance and engineering can work together to ensure resilience and security while at the same time delivering compliance.

Talks
WestIn - Partenkirchen
16:30
10min
Break
WestIn - Munich
16:30
10min
Break
WestIn - Partenkirchen
16:40
30min
Help, My Application Is Vulnerable, but How Bad Is It? - Practical Vulnerability Analysis for Development Teams
Michael Helwig, Alvaro Martinez

The goal of this presentation is to give developers practical insight into the vulnerability analysis process and to provide them with ideas and tools they can use when the next vulnerability appears.

Talks
WestIn - Munich
16:40
30min
z/OS for GenZ - Hack the Mainframe
Jonathan Prince

Discover the critical role of mainframe computing in today's digital landscape. This talk delves into the enduring relevance of mainframes, exploring how they underpin many of the world's most essential systems. We will address a series of emerging challenges that, if left unchecked, could converge into a perfect storm, threatening the stability and security of these vital infrastructure components. The session culminates with a live demonstration, showcasing a real-time hack of a mainframe, to highlight vulnerabilities and the importance of robust security measures.

Talks
WestIn - Partenkirchen
17:10
10min
Break
WestIn - Munich
17:20
30min
Closing Keynote - Empowering Pentesters: Strategies for Team Motivation, Purpose and Success
Bettina Haas

How to keep penetration testers motivated in a fast-changing environment, continuously increasing technological complexity and high pressure due to limited time and budget? How to cultivate trust, collaboration and professional growth within pentesting teams? How to foster appropriate communication of findings in a "top secret world"?

Bettina will share strategies on how to keep penetration testing teams motivated, ensure fun and purpose at work as well as provide great value for organizations, ultimately leading to increased cybersecurity maturity.

Talks
WestIn - Munich
17:50
10min
Thank you
WestIn - Munich